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IMAGING SYSTEM MONITORED OR CONTROLLED TO ENSURE 
FIDELITY OF FILE CAPTURED 

BACKGROUND 

Related Cases 

[0001] This is a continuation-in-part of Serial No. 09/660,811, filed on 
September 13, 2000, entitled DIGITAL IMAGING SYSTEM HAVING 
DISTRIBUTION CONTROLLED OVER A DISTRIBUTED NETWORK. 

Field of the Invention 

[0002] The invention relates to three-dimensional imaging. More 

specifically, the invention relates to capture and distribution of three-dimensional 
digital images. 

Background 

[0003] Pictures have long been used to prove the condition of objects 

photographed. Such proof may arise in the context of insurance claims, lawsuits, 
etc. With the advent of digital photography and the proliferation of software for 
manipulation of digital pictures, the reliability of pictures has diminished and the 
opportunity for fraud has increased. 

[0004] In the case of digital pictures, once downloaded from the camera to 

the computer, the user typically has complete access to all the pixels that make up 
the image. Thus, a marginally computer savvy teenager with Adobe Photoshop™ 
can generate very realistic, yet fraudulent digital images. With a host of digital 
images now posted on the Internet and digital images generally, there is an 
ongoing credibility gap in connection with the fidelity of such images posted 
when compared with the image actually captured. 



004956.P005X 



1 



Express Mail No.: EM522829433US 



BRIEF DESCRIPTION OF THE DRAWINGS 



[0005] The invention is illustrated by way of example and not by way of 

limitation in the figures of the accompanying drawings in which like references 
indicate similar elements. It should be noted that references to "an" or "one" 
embodiment in this disclosure are not necessarily to the same embodiment, and 
such references mean at least one. 

[0006] Figure 1 is a block diagram of a system of one embodiment of the 

invention. 

[0007] Figure 2 is a block diagram of a system of one embodiment of the 

invention. 

[0008] Figure 3 is a block diagram of an alternative embodiment of the 

invention. 

[0009] Figure 4 is a flow diagram of operation of the host in one 

embodiment of the invention. 

[0010] Figure 5 is a flow diagram of operation at a server node in one 

embodiment of the invention. 

[0011] Figure 6 is a flow diagram of operation in a digitizer in one 

embodiment of the invention. 

[0012] Figure 7 is a flow diagram of setup and data capture in a digitizer of 

one embodiment of the invention. 

[0013] Figure 8 is a block diagram of a network image capture system of 

one embodiment of the invention. 

[0014] Figure 9 is a flow diagram of a system of one embodiment of the 

invention. 

[0015] Figure 10 is a flow diagram of an alternative embodiment of a 

system of the invention. 



004956.P005X 



2 



Express Mail No.: EM522829433US 



DETAILED DESCRIPTION 



[0016] Figure 1 is a block diagram of a system of one embodiment of the 

invention. The distributed network 100 such as the Internet provides an 
interconnection between a plurality of user nodes 110, a server node 120 and a 
host 150. Server node 120 may be any conventional server or a collection of 
servers to handle traffic and requests over the distributed network. User nodes 
may be discrete computers running a web browser, a corporate network, another 
server site, or any other node on the distributed network. Host 150 may be a 
computer (laptop, desktop, hand-held, server, workstation, etc.), an internet 
appliance or any other device through which data may be forwarded across the 
distributed network. 

[0017] The host 150 may communicate over a wired link such as a universal 

serial bus (USB) or wireless link 162 to a digitizer 170. The digitizer 170 may be 
any of the myriad noncontact digitizers. One suitable digitizer is described in 
copending patent application Serial No. 09/660,809, entitled DIGITIZER USING 
INTENSITY GRADIENT TO IMAGE FEATURES OF THREE-DIMENSIONAL 
OBJECTS and assigned to the assignee of the instant application. 

[0018] In one embodiment, digitizer 170 is physically independent of an 

orientation fixture 180. For user convenience, it is desirable to minimize space 
permanently allocated to the system and minimize setup time. Most users will not 
be able to allocate sufficient space to leave the system configured for use at all 
times. The user will therefore be required to reintroduce some portion of the 
system prior to each use. The need to swap cables and otherwise rewire serves as 
a significant deterrent to widespread consumer adoption. 

[0019] As used herein, "physically independent" means that no mechanical 

or wired electrical connection must exist between the physically independent units 
during operation. By way of example and not limitation, two devices coupled 
together by an electrical signaling wire either directly or through a host computer, 
are not physically independent, whereas two devices that have no physical 
coupling and communicate over a wireless link are deemed "physically 
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independent/' Connection to a common power source, e.g., two outlets in a 
house, is not deemed to destroy physical independence. 

[0020] Orientation fixture 180 repositions an object to be digitized by 

digitizer 170 such that different aspects of the object are exposed relative to the 
digitizer at different points in time. In one embodiment the orientation fixture 180 
is a turntable. One suitable turntable is described in copending application Serial 
No. 09/660,810 entitled WIRELESS TURNTABLE and assigned to the assignee of 
the instant application. Orientation fixture 180 may also be a robotic arm or other 
robotic device, or may be a turntable in conjunction with a robotic arm or other 
robotic device. Other mechanisms that are capable of exposing different aspects of 
an object relative to the digitizer are deemed to be within the ambit of orientation 
fixtures. 

[0021] As previously noted the orientation fixture is physically independent 

of the digitizer. One premise of the system is relative ease of setup to facilitate 
wide acceptance. Thus, with the physical independence it is desirable that the 
digitizer 170 and orientation fixture 180 be able to "find" each other. To that end, 
the digitizer 170 may be equipped to sweep an area looking with its sensing 
apparatus for a feature of the orientation fixture 180. The orientation fixture 180 
may include a feature such as indicia, for example, acquisition indicia 188, or may 
contain some other physically observable structure that permits the digitizer to 
identify and acquire the orientation fixture 180 without the user introducing or 
removing a separate reference object. Acquiring the orientation fixture may 
permit, for example, any of automatic calibration of the digitizer, automatic 
determination of the relative position of the digitizer and orientation fixture, and 
fixture's orientation or condition. In one embodiment, imaging the feature 
provides an indication of focal distance as the perspective of the feature varies in a 
known way with distance. Calibration may be performed by imaging the feature 
and comparing the results to a set of reference data corresponding to the feature. 
In this manner the digitizer settings can be automatically optimized to provide the 
best available accuracy under existing conditions. Alternatively, the calibration 
can be performed based on a reference target or path entirely within the digitizer. 
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[0022] Alternatively, the orientation fixture may have a localized radiation 

source 186, which permits the digitizer 170 to sweep and identify the location of 
the orientation fixture based on the localized radiation from radiation source 186. 
It is also within the scope and contemplation of the invention to have the 
orientation fixture 170 position itself relative to the digitizer, such that the 
orientation fixture controls the acquisition by the digitizer 170 of the orientation 
fixture 180 and the object to be oriented thereby. In the system of such 
embodiment the orientation fixture would likely be a mobile robotic unit. 

[0023] In one embodiment, the digitizer communicates with the orientation 

fixture across a wireless link 184 to coordinate the orientation of the object with 
image capture by the digitizer. The wireless link may be infrared ("IR")/ radio 
frequency ("RF") , optical signaling, or any other mode of wireless 
communication. In one embodiment the orientation fixture 180 includes a self 
contained power source 194 such as a battery. The self-contained power source 
194 may also be a solar panel, fuel cell, or any other suitable power source. 

[0024] In one embodiment of the invention, digitizer 170 captures 

information about an object positioned by orientation fixture 180 from which a 
three-dimensional model can be derived. Controller 192 in digitizer 170 controls 
the coordination between the data capture by digitizer 170 and aspect change by 
the orientation fixture 180. It is within the scope and contemplation of the 
invention for the controller to reside in the host, the digitizer, the orientation 
fixture or in an independent unit. References to the controller herein are deemed 
to include without limitation all of these options. The digitizer 170 may also 
include a data analyzer 196 that reviews captured data to find errors, anomalies or 
other points of interest that warrant further investigation, including possibly 
rescanning the corresponding area. After any corrective action, the data captured 
by digitizer 170 is passed to the host 150, which renders the three-dimensional 
model from the data. The host 150 may perform compression or any other 
manipulation of the data known in the art. The three-dimensional model may 
then be sent over distributed network 100 to remote nodes such as user nodes 110 
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or a server node 120. This provides maximum ease of distribution across the 
distributed network 100. 

[0025] In some cases, control of distribution of information captured by the 

digitizer is desirable, for example, to facilitate administration of user fees. To that 
end, in one embodiment the digitizer is provided with a hardware interlock 190 
which prevents the system from operating without first receiving authorization. 
Such authorization may be provided by the server node 120 sending authorization 
data across the distributed network. Alternative locking mechanisms such as 
software or firmware-based locking mechanisms may also be employed either 
within the digitizer 170 or the host 150. Further security of the system can be 
affected by requiring an imaging application 152 on the host 150 to provide a valid 
digital signature in addition to the authorization data before enabling capture 
and/or transfer of captured data from the digitizer 170 to the host 150. 

[0026] Some embodiments of the digitizer 170 may encrypt the data 

captured prior to sending it to the host 150. In that event, unless the host is able to 
decrypt the data to render it, it may forward it on to the server node 120 across the 
distributed network and subsequent rendering of the image or three-dimensional 
model would occur on the server node 120. In this manner, the local user does not 
have access to the data from which the three-dimensional model may be derived 
unless a key is provided. In still another embodiment, the host 150 may include 
encryption capabilities and encrypt the rendered image before forwarding it on to 
the server node 120. Keying information may be provided to the digitizer and/or 
the host by the server node 120. The server node may maintain keying 
information and authorization data in a local database 122. Once the three- 
dimensional data is safely controlled by the server node 120, access to the data 
may be made available for free or at cost to the user nodes 110 or back to the host 
150. 

[0027] The digitizer may also include a field programmable gate array 

("FPGA") or other reconfigurable logic unit. In such case, the server node 
periodically may reprogram the FPGA to implement an updated or enhanced 
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algorithm for processing or security purposes, for example, as subsequently 
developed. 

[0028] Figure 2 is a block diagram of a subsystem of one embodiment of the 

invention. The subsystem of Figure 2 may be inserted in place of host 150, 
digitizer 120 and orientation fixture 180 of Figure 1. Digitizer 70 is coupled to a 
host 50. This coupling may be by a bus 60 such as the Universal Serial Bus (USB), 
IEEE 1394 bus, or any other suitable data transfer system. It is also within the 
scope and contemplation of the invention for the digitizer to communicate with 
the host via a wireless interconnection. Host 50 may be a personal computer, a 
work station, an internet appliance, or any other device that provides sufficient 
intelligence and processing power to render images from the data obtained by the 
digitizer. The digitizer 70 captures image data and may forward it to the host 50 
for rendering. In this way, the processing on the digitizer 70 may be limited, 
permitting lower cost construction. It is also within the scope and contemplation 
of the invention for the digitizer to render the image and deliver it directly to a 
distributed network. It is further within the scope and contemplation of the 
invention for the digitizer to deliver the data to a distributed network for 
rendering on a remote node. 

[0029] The digitizer 70 includes a projector to project a stripe of white light 

through a projection window 74 onto a remote object such as a person 82 on a 
turntable 80 remote from the digitizer. The digitizer also contains an image 
sensing array (ISA) aligned with an image capture window 76 which captures the 
image of the object 82 within a focal zone. In one embodiment, the ISA is a linear 
charge coupled device (CCD) or complementary metal oxide semiconductor 
(CMOS) sensor, and the focal zone is a line on the target object. In some 
embodiments, the digitizer includes a base 72 about which the upper unit, 
including the projector and the ISA, can rotate in either direction. This permits the 
focal line to be swept back and forth across a target object through an arc. This 
sweeping reduces the loss of detail in the captured image that results from 
shadowing on the object from the perspective of an immobile focal line. The 
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digitizer 70 also includes a wireless interface to communicate with a turntable 80 
via a wireless link 84. 

[0030] Turntable 80 may be the type described in co-pending application 

entitled WIRELESS TURNTABLE, Serial No. 09/660,810, assigned to the assignee 
of the instant application. Via wireless link 84, the digitizer sends commands to 
the turntable 80 and receives from the turntable indications of the angular position 
of the turntable surface relative to a home position. When the digitizer is 
activated, it searches for the turntable 80 by sending a signal to which the 
turntable 80 is required to respond. If the turntable responds, the digitizer looks 
for a predetermined pattern that is expected to be present on the turntable surface. 
For example, the pattern may be concentric circles on the turntable surface. In 
such case, based on the image captured, the digitizer can both find the turntable 
and determine its distance from the digitizer. Then after the response is received, 
the digitizer sends a "go home" signal to the turntable. In some embodiments, the 
digitizer sends acceleration and rotation profiles to the turntable to control its 
rotation. Each profile may be retained in firmware on the digitizer or downloaded 
from host 50. 

[0031] Generally speaking, the projection portion of the digitizer 70 is 

retained in fixed relation to the imaging portion. The projection portion produces 
a light stripe as noted previously on the object 82. By either sweeping the light 
stripe back and forth through the focal line or by mechanically blocking the stripe 
at a known rate, the intensity gradient can be created. In one embodiment, the 
blocking is from 0% to 100% during a cycle. Because the ISA integrates the 
illumination over time, the outline of a three-dimensional surface is reflected in 
the data captured by the ISA. This is because protruding features will remain 
illuminated longer. Accordingly, more photons are captured by the ISA 
corresponding to those features. After repeating this process one stripe at a time 
as the object is rotated by turntable 80 or through the course of sweeping the entire 
digitizer back and forth as it rotates about the base, cost effective 
three-dimensional imaging is effected. The digitizer may also be used to capture 
high resolution scans of two dimensional objects by sweeping back and forth 
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across the object. This feature is particularly desirable in the context of digitizing 
works of art. 

[0032] Figure 3 is a block diagram of an alternative embodiment of the 

invention. Again, in this embodiment user nodes 110 are coupled to a distributed 
network 100. Also coupled to distributed node 100 is server node 120 and host 
150. However, rather than being physically independent in this embodiment, the 
digitizer 270 and orientation unit 280 are coupled together to form a single integral 
unit. The unit communicates with the host by wireless link 262. Alternatively, the 
unit may be wired to the host by a USB or any other suitable wired 
communication link. A digitizer may use a linear image sensor 200 to image an 
object on the orientation fixture 280. A light source 274 may provide the lighting 
used by the image sensing array to discern the three-dimensional data. By 
integrating the digitizer and orientation unit, setup of the system is simplified. 
The digitizer may be rotatably coupled so that it can sweep its focal zone back and 
forth across an object positioned by the orientation fixture 280. This embodiment 
is particularly suitable for small-scale objects such as jewelry, in which the desired 
focal distance is relatively short. The other features discussed above in connection 
with Figure 1 may equally be applied to embodiments as shown in Figure 3. 

[0033] Figure 4 is a flow diagram of operation of the host in one 

embodiment of the invention. At functional block 400, host requests authorization 
to scan from a remote node (such as the server node). At functional block 402, the 
host node receives authorization data across the distributed network. At 
functional block 404, the host forwards authorization data to the digitizer. At 
functional block 406 the host receives scan data from the digitizer. 

[0034] At decision block 408 a determination is made whether the three- 

dimensional model should be rendered locally. If the rendering should not occur 
locally the data is forwarded to a remote node at functional block 420. The 
forwarded data may be encrypted or unencrypted, compressed or not 
compressed, and the forwarding protocol may be cell-based, packet-based or any 
other transmission protocol commonly used on distributed networks. 
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[0035] If the rendering should occur locally, a determination is made at 

decision block 422 if the data is encrypted. If the data is not encrypted at decision 
block 422, the image or three-dimensional model is rendered from the data at 
functional block 412. A determination is then made at decision block 414 whether 
the rendered model should be stored locally. If it is determined that the model 
should be stored locally, the model is stored on the host at functional block 416. If 
it is determined that the model should not be stored locally, the rendered model is 
forwarded to the remote node at functional block 418. In some cases, if the image 
is stored locally, it may not be forwarded to the remote node. In one embodiment 
of the invention, the authorization data indicates if local storage is permitted. If 
local storage is not permitted, the imaging application may be made responsible 
for electronic shredding of any temporary buffer space used in forwarding the 
scanned data. 

[0036] If at decision block 422 it is determined that the data is encrypted, a 

request is made across the distributed network for keying information (or other 
information that permits decryption) from the remote node at functional block 
424. The request may include payment for access privileges. Once the keying 
information is received at functional block 426, the host is able to decrypt the data 
at functional block 428. The flow then continues at functional block 412 as above 
described. 

[0037] Figure 5 is a flow diagram of operation at a server node in one 

embodiment of the invention. At functional block 500 the server node receives a 
request for scan authorization. A determination is made at decision block 502 if 
the requesting account is in good standing. If it is not, authorization is declined at 
functional block 526. If the account is in good standing, the authorization data is 
sent to the requester at functional block 504. A determination is made at decision 
block 506 if the requester is to render the image. If the requester is to render the 
image, a determination is made at decision block 508 whether encryption is 
required. Requiring encryption may be at the option of the server node as part of 
the use authorization. If encryption is required, the server receives a request to 
decrypt at functional block 510. The server node may then send keying 
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information (or other information that permits decryption) to the requester at 
functional block 512. If no encryption is required or after the keying information 
has been sent, the server node may receive the rendered three-dimensional model 
at functional block 514. 

[0038] If at decision block 506 the requester is not to render the image, the 

server node receives the scan data and decrypts as necessary at functional block 
516. The server then renders the three-dimensional model at functional block 518. 
After the three-dimensional model is rendered by the server or received by the 
server, the model is stored for subsequent distribution at functional block 520. 
Once stored, the server may provide the model to any arbitrary node or the 
distributed network. 

[0039] At functional block 522, the request is received for access to a model. 

At decision block 524 a determination is made whether to allow access to the 
model to the requester. Such a determination may be made based on 
predetermined access privilege to different models, including whether the 
requester was the creator of the model, access privilege level established by the 
creator, or based on some payment for such access. If it is determined that access 
to the model should be allowed, the model is sent to the requester at functional 
block 526. The model may be sent in any form and may be encrypted for security. 
In some embodiments the requestor may be given the option of the file type sent. 
Otherwise, access to the request is declined. 

[0040] Figure 6 is a flow diagram of operation in a digitizer in one 

embodiment of the invention. At functional block 600, authorization data is 
received from the host. The determination is made at functional block 602 if the 
authorization data is valid. Authorization data may include a code and, for 
example, a digital signature for the imaging application to ensure that an 
authorized imaging application is operating on the host. If the authorization data 
is valid, the image capture system is unlocked and enabled at functional block 604. 
At functional block 606, the digitizer captures scan data for the object positioned 
by the orientation fixture. A determination is then made at decision block 608 
whether the scan data should be secured. If the scan data should be secured, the 
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digitizer may encrypt the data at functional block 612. If the data need not be 
secured or after encryption, the scan data may be sent to the host at functional 
block 614. At functional block 616, the image capture system is relocked. 

[0041] In one embodiment the server node is able to control both the 

enablement of the imaging subsystem to operate and access to the data 
subsequently captured. This permits remote control of a widely distributed 
network of imaging subsystem having broad user appeal due to low cost and ease 
of operation. 

[0042] Figure 7 is a flow diagram of setup and data capture in a digitizer in 

one embodiment of the invention. At functional block 702, the digitizer scans for 
the orientation fixture. In one embodiment, this may take the form of the digitizer 
sweeping an arc around it looking for a distinctive feature. At functional block 
704, the digitizer acquires the orientation fixture. At functional block 706, the 
digitizer identifies a feature on the digitizer from which it can derive certain 
information. A featured datum is located at functional block 708. The featured 
datum provides a reference from which, e.g., the center of the turntable, may be 
located. At functional block 710, feature distortion is compared to a saved 
reference value, for example, this distortion may either be of the feature or of the 
entire orientation fixture. Based on this comparison, the relative position is 
calculated at functional block 712. At functional block 714, the same distortion can 
be used to calculate and set calibration data to optimize the accuracy of 
subsequent scans based on existing conditions. At functional block 716, the 
digitizer becomes ready to scan. 

[0043] At functional block 718, the digitizer begins to scan and capture data 

from which a three-dimensional model of the object being scanned may be 
derived. At decision block 720, a determination is made if the scan is complete. If 
the scan is not complete, a determination is made at decision block 722 if the 
partial scan is corrupt, anomalous, or otherwise unusable. If the data is not usable, 
a partial rescan may be performed for that region of the object at functional block 
724. If at decision block 720 the scan is complete, the scan data is analyzed to 
identify points of interest. At functional block 726, those points of interest may 



004956.P005X 



12 



Express Mail No.: EM522829433US 



include anomalous data, errors, features for which greater resolution is desirable, 
or any other facet of the object that warrants further investigation or review. A 
determination is made at decision block 728 whether any points of interest are 
present. If there are points of interest present, a determination is made at decision 
block 730 if all points of interest have been addressed. If all points of interest have 
not been addressed at functional block 732, the system rescans a portion of the 
object corresponding to a point of interest. This rescan may be conducted at a 
higher resolution than the original scan, the same resolution as the original scan, 
or even using an alternative image capture method. At functional block 734, the 
model is adjusted based on the rescan. Flow then returns to decision block 730 to 
determine if all points of interest have been addressed. If they have, the system 
returns to identify points of interest at functional block 726. In this manner, if the 
rescan adjustment creates additional points of interest, those will subsequently be 
picked up and addressed. If at decision block 728 no points of interest are present, 
the system renders the image at functional block 736. 

[0044] Figure 8 is a block diagram of a network image capture system of 

one embodiment of the invention. In one embodiment, the image capture system 
(ICS) 800 is coupled through a distributed network 830 to a remote node 840. The 
ICS 800 may be a three dimensional capture system as described above or a more 
traditional two dimensional imaging system. Remote node 840 may include web 
servers and one or more databases including an image database 842 and access 
rights database 844 and a log database 846. These databases may be instantiated 
as a single database or plurality of related databases. Access rights may be user 
specified or automatically defined. In one embodiment, remote node 840 either 
monitors or controls image capture system 800. 

[0045] If remote node 840 only monitors, it may only watch the state of the 

ICS 800. As used herein, "state information" may include any or all of the 
following: a time of event, an identification of the ICS, a network address of the 
ICS, a parameter of capture, a local access log and an automatically assigned 
index. In such embodiment, the remote node may not be able to prevent 
production of a fraudulent image record, but may be able to identify and, 
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therefore, certify image records that have not been tampered with between 
capture and storage at the remote node 840. In one embodiment, Java® script or a 
Java® applet may be used to monitor the settings and activities of the ICS 800. If 
the remote node 840 can control the ICS 800, it can prevent local access to the 
digital record of the image captured or only allow local access to a copy at the 
digital record and can control the settings and other parameters of capture. In 
this manner, the remote node 840 can ensure that a digital record of an image 
captured received at the remote node 840 is authentic. In one embodiment, this 
control may be exercised through use of Java® script or a Java® applet sent from 
the remote node 840. 

[0046] The ICS 800 may have a tamper resistant housing 810 which contains 

an image sensing array (ISA) 804 under the control of a processor 802. A tamper 
sensor 812 detects tampering with the housing 810 and signals the processor 802 
when tampering is detected. Various mechanisms may be used for the tamper 
sensor 812 including switches tripped in response to opening of the housing. 
Alternatively, some feature such as a paper label inside the device may be used in 
conjunction with the ISA to detect tampering. For example, if the label is torn by 
opening the housing, subsequent images of the label captured by the ISA will 
show the tampering. In one embodiment, the tamper sensor 812 is a single use 
device like a fuse that once broken all images captured are suspect. In another 
embodiment, a code used for authentication may be stored in a battery backed up 
memory for which the battery backup is disconnected responsive to tampering 
with or opening the housing. The disconnection results in deletion of the 
necessary code after which authentication is disabled. 

[0047] Image sensing array 804 may be used to capture an image of a target 

850 under the control of processor 802. A memory 806 is coupled to the processor 
802. In one embodiment, image capture system 800 is calibrated prior to 
distribution and calibration data 814 is retained in a section of the memory 806. 
The processor 802 controls the parameters of capture which may include without 
limitation exposure setting, spectral filter setting, illumination level, resolution of 
capture, orientation of object, orientation of scanning and use of the calibration 
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file. These parameters may be provided by the remote node 840 in certain 
instances, by a local host (not shown) or automatically determined within the ICS 
800. Based on the parameters, an image capture of the target 850 may occur. 

[0048] A data insertion device 816 interacts with the ISA 804 to "mark" a 

data stream produced by the ISA 804. The data insertion device (DID) 816 may 
take any of several forms. In one embodiment, a light source such as, for example 
a light emitting diode (LED) "sprays" light in a predetermined way on to the ISA 
804 during capture. In another embodiment, the DID 816 causes a precapture of 
some other optical reference such as, a serial number, bar code or other such 
reference contained within the apparatus prior to capture of the target. The 
precapture may then be encoded by the processor 802 within a capture record. 

[0049] In another embodiment, the DID 816 injects an electrical marker into 

the data read from the ISA 804. For example, a resistive network may be used to 
create a unique electrical identity for the device. The resistance value may be read 
by an analog to digital (A/D) converter to identify a single code for the device that 
may be infused into the data stream. In one embodiment, a same A/D that reads 
the ISA may be used to read the resistor values. A series of switches may 
alternatively be used to create a unique code. In another embodiment, the DID 
816 inserts data stored in a secure memory element into the data stream to act as a 
marker. 

[0050] Typical charge coupled devices (CCD) have a number of bits that are 

not used during image capture. These include dark level bits and dummy bits 
typical around the periphery of the ISA 804. These bits may provide a 
substantially unique signature for the ISA 804 unaffected by an image capture 
such that the bits may be compared with expected values (from calibration) to 
identify if an image record came from a particular CCD. It is also noted that ISA's 
by virtue of manufacturing variance typically have a unique fingerprint in that 
some pixels are more responsive than others. This fingerprint can be derived from 
the calibration data. 
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[0051] In one embodiment, an encryption engine 808 may optionally be 

provided to encrypt the digital record of the capture created by the image sensing 
array 804 prior to passing it from the tamper resistant housing 810. In one 
embodiment, public key encryption is used. In one embodiment, an encryption 
engine 808 also includes a one-way hash engine. Alternatively, encryption may be 
performed by the processor using software resident in the system, firmware, or for 
example, a Java® applet downloaded to the processor 802 as part of the image 
capture process. This permits keying information to be externally established and 
changed without reconfiguration of the ICS. In this manner, the authenticity of 
the data captured and subsequently displayed may be certified. 

[0052] In one embodiment, the processor 802, memory and related 

components, may be packaged in tamper resistant semiconductor packaging 
known in the art. In one embodiment, the ICS may employ a subset of techniques 
used with secure coprocessors analogous to those described in U.S. Patent No. 
5,757,919 entitled CRYPTOGRAPHICALLY PROTECTED PAGING SUBSET 
SYSTEM assigned to Intel Corporation. 

[0053] Figure 9 is a flow diagram of a system of one embodiment of the 

invention. At decision block 902, a determination is made if authorization is 
required to capture an image. If authorization is required, the capture is 
authorized at functional block 904. In one embodiment, the authorization is 
provided by a remote node. In another embodiment, authorization may be 
provided through, e.g. a prepaid magnetic card or other payment vehicle. Then 
after authorization or if no authorization is required, the state information from 
the image capture system is acquired at functional block 906. At functional block 
908, a capture is initiated. At decision block 910, a determination is made based on 
the state information monitored whether any unauthorized material alteration of 
the state occurred during the capture sequence. If no material alteration occurred, 
at functional block 912, the data captured may be uploaded to a remote node and 
may be subsequently certified. In some embodiments, part of the uploading 
sequence includes encrypting a digital record of the image captured. In some 
embodiments, the state information may be encoded into the digital record along 
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with the image. At decision block 914, the uploading node verifies that the data is 
authentic by checking for characteristics expected to be present in an authentic file 
created by the image capture system. If a material alteration occurred or 
verification fails, the monitoring system notes that the resulting record cannot be 
certified authentic at functional block 916. 

[0054] If verified at functional block 918, the record is certifiable and a copy 

of the record (or the relevant portion thereof) is stored in a secure environment 
such as on a remote node. At decisional block 920, a determination is made if a 
request to access the record has been made. Access requests includes requests to 
view, copy, and modify the record. If a request to access the record is received, 
information about the request is stored in a log at functional block 922. Then at 
decision block 924, an access rights database is checked to determine whether the 
requestor is authorized to access the record. If the access is authorized, access is 
granted at functional block 926. If access is granted, additional log entries are 
made regarding the type of access and parameters of access for the record at 
functional block 928. In one embodiment, log entries may include who accessed 
the record, the time accessed, any approval of the filing and network address of 
the accessor and what aspects of the image record was accessed. In some 
embodiments, if access is to modify the record, a duplicate of the unmodified 
record is automatically maintained so that at least one unmodified copy exists. 
The length that such an unmodified escrow copy is maintained may vary 
depending on the useful life of the image record. If access is not authorized at 
decision block 924, access is denied at functional block 930. In one embodiment, if 
a user of the ICS so specifies, the ICS or remote node automatically publishes the 
certified image to a set of networked recipients. In such embodiment, the access 
log may track access and approvals of such recipients. 

[0055] Figure 10 is a flow diagram of an alternative embodiment of a 

system of the invention. At functional block 1002, the state of the image capture 
system is acquired. A determination is made at functional block 1004 if the state 
falls within a defined range of acceptable states. If the state does not fall within 
that range, the state is forced to a desired value at functional block 1006. If the 
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state is acceptable or after forcing the state, the then existing state information is 
saved at functional block 1008. Capture is initiated at functional block 1010 and 
the state is maintained within the authorized limits throughout the capture 
process at functional block 1012. Flow then continues as in Figure 9 at functional 
block 912. 

[0056] In the foregoing specification, the invention has been described with 

reference to specific embodiments thereof. It will, however, be evident that 
various modifications and changes can be made thereto without departing from 
the broader spirit and scope of the invention as set forth in the appended claims. 
The specification and drawings are, accordingly, to be regarded in an illustrative 
rather than a restrictive sense. 
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